1267614 – 1.8.14 breaks authentication

Bug 1267614 - 1.8.14 breaks authentication

Summary: 1.8.14 breaks authentication

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	subversion
Sub Component:
Version:	22
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Joe Orton
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-09-30 14:08 UTC by Harald Reindl
Modified:	2016-07-19 18:04 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-07-19 18:04:05 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Harald Reindl 2015-09-30 14:08:41 UTC

1.8.14 breaks for years now working setups 

i realized the "move svnauthz to -tools" and installed "subversion-tools" followed by a hard restart of httpd, no change, downgrade and all is working fine again - sorry but not acceptable for a minor update
____________________________________________________

1.8.14:

[Wed Sep 30 15:44:48.133571 2015] [authz_svn:error] [pid 24348] [client 10.0.0.99:50460] Access denied: - OPTIONS :/contentlounge/modules/dns
[Wed Sep 30 15:46:14.068687 2015] [authz_svn:error] [pid 5177] [client 10.0.0.99:50462] Access denied: - OPTIONS :/contentlounge/modules/dns
[Wed Sep 30 15:52:52.755016 2015] [authz_svn:error] [pid 5175] [client 10.0.0.99:50494] Access denied: - OPTIONS :/contentlounge/modules/dns
[Wed Sep 30 15:54:13.702543 2015] [authz_svn:error] [pid 24351] [client 10.0.0.99:50510] Access denied: - OPTIONS :/contentlounge/modules/dns

[harry@rh:~]$ svn-commit.sh "Panel: Rename-Option fuer A-Records implementiert nachdem ich die jetzt schon viel zu oft brauche und immer in der Datenbank direkt rumschreiben muss"
svn: E175013: Übertragen schlug fehl (Details folgen):
svn: E175013: Unable to connect to a repository at URL 'http://svn/contentlounge/modules/dns'
svn: E175013: Zugriff auf »/contentlounge/modules/dns« verboten
____________________________________________________

Sep 30 16:03:08 INFO Downgraded: subversion-libs-1.8.13-7.fc22.x86_64
Sep 30 16:03:08 INFO Downgraded: subversion-libs-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-kde-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-kde-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-tools-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-tools-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: mod_dav_svn-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: mod_dav_svn-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-tools-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-tools-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-kde-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-kde-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: mod_dav_svn-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: mod_dav_svn-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-libs-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-libs-1.8.14-1.fc22.x86_64

[harry@rh:~]$ svn-commit.sh "Panel: Rename-Option fuer A-Records implementiert nachdem ich die jetzt schon viel zu oft brauche und immer in der Datenbank direkt rumschreiben muss"
Sende              modules/dns/gui.php
Sende              modules/dns/library.php
Übertrage Daten ..
Revision 3939 übertragen
____________________________________________________

Comment 1 Joe Orton 2015-10-02 18:09:39 UTC

What's the auth config?

Comment 2 Joe Orton 2015-10-02 18:14:35 UTC

I don't get the comment about svnauthz: that happened in 1.8.13-7, which has been in f22 stable for a few months.  Was your config broken with that package too?

Comment 3 Harald Reindl 2015-10-02 18:19:31 UTC

Please read my report again - first the broken version is mentioned in the subject, then you see apache logs with the error messages and under a spacer line the downgrade log followed by the successful commit

Comment 4 Harald Reindl 2015-10-02 18:23:30 UTC

I am currently not on my computer and need to seek the config because i configured subversion once in my life in 2007 without any changes and honestly even don't remember hiw - followed a how-to 

mod_dav_svn and running with httpd at least i can say for now

Comment 5 Harald Reindl 2015-10-03 01:49:25 UTC

 <VirtualHost *:443>
  ServerName             "svn.test.rh"
  Options                +Indexes +Multiviews -FollowSymLinks
  SSLCertificateFile     "conf/ssl/rhsoft.net.pem"
  SSLEngine              On
  KeepAlive              On
  SSLUseStapling         Off
  <Location />
   AllowMethods          OPTIONS PROPFIND GET POST HEAD REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE
   Require               ip 127.0.0.1
   Require               ip 10.0.0.0/24
   Require               ip 192.168.1.0/24
   DAV                   svn
   SVNPath               "/svn/updateservice/subversion"
   SVNListParentPath     On
   AuthType              Basic
   AuthName              "Versionsverwaltung"
   AuthUserFile          "/etc/httpd/conf/svn_passwd"
   AuthzSVNAccessFile    "/etc/httpd/conf/svn_access"
   Require               valid-user
   <IfModule mod_security2.c>
    SecRuleEngine        Off
   </IfModule>
  </Location>
  <IfModule mod_headers.c>
   Header always set "Strict-Transport-Security" "max-age=31536000"
  </IfModule>
 </VirtualHost>
</IfModule>

Comment 6 Harald Reindl 2015-10-15 11:39:41 UTC

obviously it's a change in 1.8.14 with the dumb default of "AuthzSVNAnonymous On", after add "AuthzSVNAnonymous Off" inside the <Location>-directive it works again

likely one of that changes without change the "AuthzSVNAnonymous"
default proper which sould not be enabled at all without saying so

 * mod_authz_svn: do not leak information in mixed anonymous/authenticated
   httpd (dav) configurations (CVE-2015-3184)
 * do not leak paths that were hidden by path-based authz (CVE-2015-3187)

Comment 7 Joe Orton 2015-10-16 12:40:49 UTC

Interesting, thanks.  I'm confused by this, I couldn't reproduce it, though there's a report upstream of similar issues with 1.8.14 and mod_auth_kerb where the 401 is not getting triggered.

You don't have have a "Satisfy" present anywhere else in the configuration by any chance?

Comment 8 Harald Reindl 2015-10-16 12:45:59 UTC

no, while i think "Satisfy" is a httpd 2.2 thing and not supported in 2.4 there maybe <Directory> settings overlaying the vhost somehow (complex setup) but it's a unexpected regression anyways for a minor update - however solved with "AuthzSVNAnonymous Off"

[root@srv-rhsoft:/etc/httpd/conf]$ cat *.conf | grep -i Satisfy
[root@srv-rhsoft:/etc/httpd/conf]$ cd sites_enabled/
[root@srv-rhsoft:/etc/httpd/conf/sites_enabled]$ cat *.conf | grep -i Satisfy

Comment 9 Fedora End Of Life 2016-07-19 18:04:05 UTC

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.